Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

TZ-500 - Loads of Probably and Possible Port Scans

This is coming from an unknown IP on the X1 to our public IP on X1 using port 443.

-Created an Address Object with the IP that is scanning (WAN)
-Created a WAN to WAN access rule to Deny the IP in question

Not sure what is wrong with my Access rule, but these port scans are coming once a minute.

Suggestions welcome!

Category: Entry Level Firewalls
Reply

Answers

  • Nathan_MNathan_M Newbie ✭

    Does the new access rule have a higher priority than other WAN-to-WAN access rules? Are there any conflicting rules with a higher priority than your new rule?

  • jarmstrongjarmstrong Newbie ✭

    It has the highest priority

  • ArkwrightArkwright Community Legend ✭✭✭✭✭
    edited 10:02AM

    I think that port scan detection detects port scans whether your firewall would have allowed the traffic or not, so having a rule makes no difference.

    Additionally, I have a suspicion that some innocuous patterns of traffic will trigger the detection; imagine a scenario where clients open multiple connections to a web server on port 443. The connections to the server will all come from random high ports to the same port. The firewall sees all the replies from the server's IP going back to multiple ports and this matches the "port scan" pattern, and raises an alert.

    For these reasons, I think port scan detection is just noise and you should disable it.

  • SonicAdmin80SonicAdmin80 Cybersecurity Overlord ✭✭✭

    Everything online is constantly scanned so I don't think those alerts have much value. I always disable it from the diag page.

    What might have value would be dynamic blocking logic, where ports would be blocked by source IP if the firewall detects probing to consecutive ports in a short time period.

Sign In or Register to comment.